The Return of NJRat
NJRat is a remote-access Trojan that has been used for the last few years. We haven’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback. ( For some background on NJRat, a 2013 report from Fidelis Cybersecurity Solutions at General Dynamics detailed indicators, domains, and TTP’s in conjunction with cyber-attacks using NJRat.)
Using the PhishMe Reporter button, several internal users at PhishMe reported the following suspicious email (Figure 1):
Once clicked, the user is brought to a download page where they are given the option to download the file “NFSW_Car_Changer.exe” (Figure 2).
The executable is compiled with .NET 4.0. (Figure 3) This is worth mentioning because most of the malware today is written in C/C++.
The biggest benefit for malware to be written in .NET is that it can be difficult to decode and see what is truly going on. While the .NET code can be decompiled back to the original code (not 100%, but closer than most), regular analysis techniques can throw off analysis, as the code is different. This is why we often have to rely on dynamic analysis, or just double-clicking the file, for .NET analysis
Once the malware runs, it copies itself to %temp%/explorer.exe and begins to attempt connections with zunigle.ddns[d]net. The current resolution for this IP address is 193.180.164[d]235 (Figure 4).
Once established, the malware attempts to send different pieces of information to the end user. (Figure 5) For NJRat, the traffic is typically encoded with base64, and can be decoded right from command line (Figure 6). This includes the campaign code as well as windows that were clicked during analysis.
The IP address appears to be part of VPN infrastructure. Based off of the analysis from the Fidelis article, the VPN infrastructure and no-IP dynamic DNS matches up very well. VPN references also match up with one of the two NJRat Facebook pages:
The malware can be found here: